Data breaches have hit a record high and there’s no signs of the problem slowing down. In 2023 alone, over 234 million individuals were impacted from cybersecurity breaches.
At the heart of this problem is how organizations dedicate resources to protecting customer data. One of the most business critical systems housing this data is the CRM— Salesforce specifically for more than 150,000 U.S. businesses. Yet Salesforce security blind spots remain a challenge. To address these risks, the NIST offers a roadmap for Salesforce security teams.
In February 2024, NIST released Version 2.0 of its Cybersecurity Framework, the first major update in a decade. Key changes include the new Govern function, streamlining categories to make the framework easier to use, and updates to the Respond function for more actionable incident management. The framework now applies across all industries, not just critical infrastructure.
For Salesforce security leaders, these updates will directly impact how they manage security, from aligning Salesforce practices with enterprise risk strategies to strengthening third-party app oversight. Let’s look at how these changes will shape Salesforce security operations going forward.
What is the NIST Cybersecurity Framework (CSF) 2.0?
The NIST Cybersecurity Framework was originally established by the National Institute of Standards and Technology (NIST) following a 2013 executive order from President Obama, which called for the creation of a standardized set of guidelines to improve the cybersecurity of critical infrastructure.
The goals of the framework include:
- Improving cybersecurity risk management: Helping organizations understand, prioritize, and communicate their cybersecurity efforts.
- Providing a common language: Facilitating communication across industries, sectors, and government on cybersecurity risks and mitigation.
- Enhancing resilience: Ensuring organizations can respond effectively to cyber incidents and recover operations quickly.
- Supporting flexibility: Allowing organizations to adapt the framework to their unique risks, sectors, and technologies
The NIST Cybersecurity Framework (CSF) 2.0, released in early 2024, expands on the original framework and was designed to guide organizations in managing and reducing cybersecurity risks in an even more structured, yet flexible manner. It is built around three key components: the CSF Core, CSF Profiles, and CSF Tiers.
Key Components of the NIST Cybersecurity Framework 2.0
These components work together to provide a comprehensive approach to understanding, assessing, and improving an organization’s cybersecurity posture. Each component is essential in creating a dynamic, risk-informed strategy that aligns cybersecurity activities with an organization’s unique needs, mission, and threat landscape.
1. CSF Core
At the heart of the CSF is the CSF Core, which provides a taxonomy of high-level cybersecurity outcomes. The Core is organized into six Functions: Govern, Identify, Protect, Detect, Respond, and Recover. These Functions help organizations manage cybersecurity risks across all stages of the security lifecycle:
- Govern: Ensures that cybersecurity strategy, roles, responsibilities, and policies are established and monitored, providing a foundation for all other actions.
- Identify: Focuses on understanding the organization’s assets, risks, and supply chain.
- Protect: Involves implementing safeguards to ensure critical services and assets are secured.
- Detect: Supports the timely discovery of cybersecurity events through monitoring and analysis.
- Respond: In case of a cybersecurity incident, the Respond function enables effective incident management and mitigation.
- Recover: Ensures that affected assets and operations are restored promptly.
2. CSF Profiles
The second key component is CSF Profiles, which offer a customizable way for organizations to assess and communicate their cybersecurity posture.
- Organizational Profiles describe the current and target states of an organization’s cybersecurity posture based on CSF outcomes. Profiles help tailor and communicate cybersecurity priorities and plans.
- Community Profiles: A baseline of CSF outcomes created for shared goals among multiple organizations, which can be adapted by individual organizations.
3. CSF Tiers
The third component, CSF Tiers, is a system that helps organizations evaluate the maturity and rigor of their cybersecurity risk management practices. The Tiers range from Tier 1 (Partial), where cybersecurity risk management is ad hoc, to Tier 4 (Adaptive), where cybersecurity risk is fully integrated into organizational risk management and is continuously improved. These Tiers help organizations assess their current state and set goals for improvement based on their unique risk environment.
Why the CSF Framework Is Important
The updated CSF is important across the broader landscape because it offers a common language for managing and communicating security risks, across internal and external teams, and even internationally. It also supports the integration of cybersecurity risk with broader enterprise risks including financial, reputational, and supply chain.
The flexibility of the framework allows it to pivot with constantly expanding risks, making it a vital tool for any team.
Key Updates in the 2024 NIST Cybersecurity Framework & The Impact on Salesforce Security Practices
The 2024 NIST Cybersecurity Framework (CSF) 2.0 introduces key updates designed to better align cybersecurity practices with evolving risks and governance needs. These changes, while broadly applicable, offer specific insights that can benefit Salesforce security leaders. Here’s a breakdown of the major updates and their relevance to those managing Salesforce environments.
1. Introduction of the “Govern” function
One of the most significant updates is the addition of the Govern (GV) function. This new function emphasizes the importance of cybersecurity governance and risk management strategy as an integral part of an organization’s overall enterprise risk management. The Govern function includes establishing roles, responsibilities, policies, and monitoring cybersecurity performance, ensuring that cybersecurity is not siloed but integrated into the broader business strategy.
For Salesforce security leaders, this means that the security of Salesforce instances must now be explicitly aligned with the organization’s overall risk management strategies. As CRM’s often house critical business and customer data, ensuring that Salesforce governance structures are in place—such as defined roles, policies, and ongoing monitoring—will help drive consistency and accountability across both Salesforce and the wider enterprise.
2. Expanded focus on supply chain risk management
With the increasing reliance on external vendors and global supply chains, CSF 2.0 provides more robust guidance on cybersecurity supply chain risk management (C-SCRM). This area is now incorporated into the Govern function, with specific outcomes related to managing risks introduced by third-party suppliers, products, and services. The framework emphasizes continuous monitoring of supply chain risks and collaboration with suppliers in cybersecurity planning and incident response.
This change is particularly relevant to Salesforce security leaders due to the platform’s integration with a wide array of third-party applications and services. Since integrations can cause numerous security risks, Salesforce leaders should work closely with suppliers to ensure their security standards meet the organization’s requirements. This proactive management of third-party risk will be crucial in maintaining the integrity of Salesforce environments.
3. Broader applicability across sectors and technologies
CSF 2.0 continues to be sector- and technology-neutral, but it has been expanded to address emerging technologies like cloud computing, mobile environments, and artificial intelligence (AI). The framework is designed to remain adaptable to future technological developments, providing guidance that can be applied to various ICT (Information and Communication Technology) environments, including operational technology (OT), Internet of Things (IoT), and AI systems.
For Salesforce security leaders, this broad applicability ensures that the framework remains relevant as Salesforce continues to evolve with new capabilities such as AI-powered tools and deeper integrations. CSF 2.0 can serve as a guide for managing risks associated with these innovations while ensuring alignment with broader cybersecurity practices.
4. More actionable resources
CSF 2.0 introduces a suite of online resources that supplement the core framework. These include Quick Start Guides, Informative References, and Implementation Examples. These resources are regularly updated and provide organizations with practical, actionable steps to implement the CSF and enhance their cybersecurity risk management. These tools make the framework more accessible, particularly for smaller organizations or those with limited cybersecurity expertise.
For Salesforce security leaders, these resources provide practical, hands-on tools for aligning Salesforce-specific security controls with the broader framework, allowing for more efficient integration into the organization’s existing cybersecurity posture.
5. Improved integration with other risk management programs
The new framework places greater emphasis on aligning cybersecurity with enterprise risk management (ERM) and other risk management frameworks, such as the NIST Privacy Framework and the NIST Risk Management Framework (RMF). This ensures that cybersecurity risks are viewed within the broader context of organizational risks, facilitating better decision-making at the executive level. The addition of Enterprise Risk Management Quick-Start Guides helps organizations integrate cybersecurity into their overall risk management strategies more effectively.
Salesforce security leaders can benefit from this guidance by ensuring that Salesforce security efforts are considered within the wider context of organizational risk. This alignment can help Salesforce teams articulate the risks they manage in a way that resonates with executive leadership, thus ensuring appropriate resource allocation and strategic focus.
6. Refined profile and tier structures
CSF 2.0 refines the Profiles and Tiers to provide clearer guidance on how organizations can assess and communicate their cybersecurity posture. The Tiers have been enhanced to reflect a more nuanced view of cybersecurity risk management, ranging from Tier 1 (Partial), where risk management is informal and reactive, to Tier 4 (Adaptive), where risk management is fully integrated and continuously improved.
For Salesforce security leaders, understanding where their Salesforce environment sits within these tiers can help benchmark security efforts and identify areas for improvement. Whether the goal is to move from ad-hoc, reactive management to a more mature, proactive posture, the tiered approach provides a roadmap for continuous enhancement.
7. Enhanced support for continuous improvement
Recognizing that cybersecurity threats are constantly evolving, CSF 2.0 emphasizes the need for continuous improvement in cybersecurity practices. The framework encourages organizations to regularly assess their cybersecurity posture and update their strategies and controls in response to changes in the threat landscape, new technologies, and evolving mission requirements.
Given the dynamic nature of both Salesforce and the broader threat landscape, Salesforce security leaders can leverage the guidance in CSF 2.0 to ensure that security measures evolve alongside new business needs and emerging threats.
Implementation Strategies for Salesforce Security Leaders
1. Integrate the “Govern” function into Salesforce governance
Start by establishing clear cybersecurity governance structures that explicitly include Salesforce security. This involves:
- Defining roles and responsibilities for managing Salesforce security across the organization.
- Developing or updating Salesforce-specific security policies that align with overall corporate governance.
- Implementing ongoing monitoring and reporting processes to ensure adherence to policies and to track the effectiveness of security controls.
- Engaging with senior leadership to ensure Salesforce security is integrated into enterprise risk management discussions, aligning business objectives with security practices.
2. Strengthen supply chain risk management for third-party apps
Salesforce environments often involve multiple third-party applications and integrations, making supply chain risk a critical focus area. To address this:
- Assess the security practices of all third-party vendors and integrations connected to Salesforce.
- Require suppliers to meet the organization’s cybersecurity standards, potentially integrating security clauses into contracts.
- Monitor third-party tools continuously for vulnerabilities and ensure they are included in incident response plans.
- Collaborate with IT and procurement teams to apply C-SCRM practices when selecting new vendors or renewing existing contracts for Salesforce-related services.
3. Utilize CSF online resources for practical guidance
Leverage the new Quick Start Guides, Implementation Examples, and Informative References that NIST provides:
- Use these resources to map Salesforce-specific security controls to CSF outcomes. For example, refer to implementation examples for cloud security when securing Salesforce environments.
- Adopt Quick Start Guides to help train teams on how to align Salesforce security operations with CSF 2.0 outcomes.
- Regularly check for updates on the NIST CSF website to stay current on new security practices that may be relevant for Salesforce environments.
4. Align Salesforce security with enterprise risk management
Salesforce security leaders should align their efforts with the organization’s Enterprise Risk Management (ERM) strategy:
- Collaborate with risk management teams to ensure that Salesforce-specific risks are incorporated into the larger organizational risk assessments.
- Develop Current and Target Profiles for Salesforce security that align with the CSF 2.0’s goals, helping to prioritize risk management actions and communicate security maturity to executives.
- Ensure that Salesforce security incidents and risks are reported in the same framework used for broader enterprise risk management, using consistent terminology to articulate risks and their potential impacts.
5. Assess Salesforce security maturity using CSF Tiers
Utilize the CSF Tier structure to assess and improve Salesforce security maturity:
- Conduct an internal audit to evaluate where Salesforce security practices currently stand in terms of the CSF tiers, ranging from Tier 1 (Partial) to Tier 4 (Adaptive).
- Identify gaps in the current approach and develop an action plan to progress to the next tier. For example, moving from ad-hoc incident response (Tier 1) to a structured, repeatable incident management process (Tier 3).
- Set realistic goals for improvement based on available resources, targeting areas where Salesforce security can evolve into a more proactive, risk-informed posture.
6. Promote continuous improvement and regular assessment
Emphasize continuous improvement by:
- Conducting regular reviews of Salesforce security controls and processes to ensure they are adapting to new threats and business needs.
- Implementing a feedback loop that incorporates lessons learned from incidents and vulnerabilities identified in Salesforce.
- Establishing regular security drills or incident response simulations that involve Salesforce-specific scenarios, ensuring the security team is prepared for evolving threats.
7. Enhance incident response and recovery processes
Strengthen the Respond and Recover functions to ensure that Salesforce-specific incidents are handled effectively:
- Develop Salesforce-tailored incident response plans that integrate with broader organizational response efforts, ensuring clear escalation paths and communication protocols.
- Include Salesforce assets in recovery plans to prioritize restoring critical data and functionality after an incident.
- Ensure backups of Salesforce data are maintained, tested, and quickly accessible in the event of a cybersecurity incident.
By systematically incorporating these CSF 2.0 updates into their operations, Salesforce security leaders can enhance the security, governance, and resilience of their Salesforce environments.
These steps ensure that Salesforce is fully integrated into the organization’s broader cybersecurity and risk management framework, enabling a proactive and structured approach to managing threats.
Conclusion: Embracing NIST CSF 2.0 to Strengthen Salesforce Security
The 2024 NIST Cybersecurity Framework (CSF) 2.0 introduces key updates that Salesforce security leaders should embrace to strengthen their overall security posture. Adopting these practices enhances data protection, improves incident response, and ensures business continuity—all critical for organizations relying on Salesforce.
Sonar supports these efforts by providing security leaders a full suite of Salesforce-centric security tools. Sonar helps you and your teams maintain data visibility, manage risks, and ensure compliance across your Salesforce environments and integrated tech stack. With Sonar, security teams can confidently implement the NIST framework and protect their most valuable data. Try Sonar free today.